michael/webmin
1
0
Fork 0
mirror of https://github.com/webmin/webmin.git synced 2026-02-03 14:13:29 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix various XSS related issues

Browse Source
This commit is contained in:
iliajie
2023-08-03 17:21:40 +03:00
parent b1ee7cbf53
commit bea827c0b7
3 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cron/index.cgi
View File

@@ -108,7 +108,7 @@ foreach $u (@ulist) {
$cmdidx = scalar(@cols); $cmdidx = scalar(@cols);
push(@cols, &ui_link("edit_env.cgi?idx=".$idx, push(@cols, &ui_link("edit_env.cgi?idx=".$idx,
"<i>$text{'index_env'}</i> ". "<i>$text{'index_env'}</i> ".
"<tt>$job->{'name'} = $job->{'value'}</tt>") ); "<tt>@{[&html_escape($job->{'name'})]} = @{[&html_escape($job->{'value'})]}</tt>") );
$donelink = 1; $donelink = 1;
} }
elsif (@exp && $access{'command'}) { elsif (@exp && $access{'command'}) {
@@ -156,7 +156,7 @@ foreach $u (@ulist) {
# Show comment # Show comment
if ($config{'show_comment'} || $userconfig{'show_comment'}) { if ($config{'show_comment'} || $userconfig{'show_comment'}) {
push(@cols, $job->{'comment'}); push(@cols, &html_escape($job->{'comment'}));
} }
# Show next run time # Show next run time

4
mailcap/index.cgi
View File

@@ -23,8 +23,8 @@ if (@mailcap) {
foreach $m (@mailcap) { foreach $m (@mailcap) {
print &ui_checked_columns_row([ print &ui_checked_columns_row([
&ui_link("edit.cgi?index=".$m->{'index'}, $m->{'type'}), &ui_link("edit.cgi?index=".$m->{'index'}, $m->{'type'}),
$m->{'program'}, &html_escape($m->{'program'}),
$m->{'cmt'} || $m->{'args'}->{'description'}, &html_escape($m->{'cmt'} || $m->{'args'}->{'description'}),
$m->{'enabled'} ? $text{'yes'} : $m->{'enabled'} ? $text{'yes'} :
"<font color=#ff0000>$text{'no'}</font>", "<font color=#ff0000>$text{'no'}</font>",
], \@tds, "d", $m->{'index'}); ], \@tds, "d", $m->{'index'});

8
webmin/gnupg-lib.pl
View File

@@ -34,8 +34,8 @@ while(<GPG>) {
my $k = { 'size' => $1, my $k = { 'size' => $1,
'key' => $2, 'key' => $2,
'date' => $3, 'date' => $3,
'name' => $4 ? [ $4 ] : [ ], 'name' => &filter_javascript($4) ? [ &filter_javascript($4) ] : [ ],
'email' => $5 ? [ $5 ] : $4 ? [ "" ] : [ ], 'email' => &filter_javascript($5) ? [ &filter_javascript($5) ] : &filter_javascript($4) ? [ "" ] : [ ],
'index' => scalar(@rv) }; 'index' => scalar(@rv) };
if ($k->{'name'}->[0] && if ($k->{'name'}->[0] &&
$k->{'name'}->[0] =~ /\[(expires|expired):\s+(\S+)\]/) { $k->{'name'}->[0] =~ /\[(expires|expired):\s+(\S+)\]/) {
@@ -54,8 +54,8 @@ while(<GPG>) {
elsif (/^uid\s+\[[^\]]+\]\s+(.*)\s+<(\S+)>/ || elsif (/^uid\s+\[[^\]]+\]\s+(.*)\s+<(\S+)>/ ||
/^uid\s+(.*)\s+<(\S+)>/ || /^uid\s+(.*)\s+<(\S+)>/ ||
/^uid\s+(.*)/) { /^uid\s+(.*)/) {
push(@{$k->{'name'}}, $1); push(@{$k->{'name'}}, &filter_javascript($1));
push(@{$k->{'email'}}, $2); push(@{$k->{'email'}}, &filter_javascript($2));
} }
elsif (/^\s+([A-F0-9]{0,40})/) { elsif (/^\s+([A-F0-9]{0,40})/) {
$k->{'key'} = $1; $k->{'key'} = $1;